// Platform

QHx binds trust to running systems.

QHx composes workload identity, policy-bound communication, and request notarization into one runtime path.

001 · What changes

Execution becomes conditional.

QHx evaluates workload, node, flow, and request context before the exchange proceeds.

01 Secrets stop pretending to be identity.

A secret proves possession. QHx identity is bound to a workload and the node on which it runs.

02 Network location stops being the control plane.

Authorization follows workload identity, labels, policy, and flowspecs—not merely IP adjacency.

03 Audit stops depending on memory.

Notarized requests can be verified after the short-lived SVID that created them has expired.

002 · Composition

Each component does one thing.

01

QHx Manager

Supervises the cluster and reconciles QHx policy, proxy configuration, and supporting resources.

02

QHx PKI

Issues workload-bound credentials, including X.509-SVIDs, from node and workload attestation.

03

QHx Attestor

Gates identity issuance using policy and, when enabled, TPM-backed platform evidence.

04

QHx Proxy

Mediates application traffic and carries it through mutually authenticated, encrypted workload tunnels.

05

QHx Notary

Creates long-lived, offline-verifiable receipts from selected workload requests and responses.

06

QHx CLI

Gives operators a direct interface for installation, inspection, and administration.

003 · Deployment

The core runs on Kubernetes. The trust model doesn't end there.

QHx Core deploys through Helm into Kubernetes environments on premises, in cloud regions, or at the edge. The operating model is broader: identity and policy attach to workloads and nodes instead of a single scheduler, network, or CPU architecture.

  • Transparent adoption: Existing HTTP and TCP services can be mediated by QHx Proxy rather than rewritten.
  • Heterogeneous compute: Containers, VMs, bare-metal nodes, and edge systems can participate through deployment-specific integration paths.
  • Federated trust: Separate authorities can exchange trust bundles across trust domains.
  • Cryptographic agility: Algorithms are selected through policy, including ML-DSA signatures and ML-KEM or hybrid key exchange.

// Platform

Trust becomes something the system can reason about.

Identity, posture, policy, and evidence become part of the same decision path. The threat model behind those choices is published in full.